The second wave of "Bill 64" amendments to Québec's private-sector privacy legislation - the Act respecting the protection of personal information in the private sector ("PPIPS") - will take effect on September 22, 2023. In this post we look at five key changes that companies carrying on business in Québec will need to address between now and September 22. These include (i) a requirement to create personal information policies, (ii) new rights for individuals to withdraw consent or be de-indexed/re-indexed, (iii) a requirement to conduct privacy impact analyses in certain situations, (iv) a requirement for written data processing agreements with anyone to whom personal information is transferred, and (v) substantial new monetary penalties.

These changes follow an earlier set of amendments under Bill 64, in effect since September 2022, that include requirements to appoint a person responsible for compliance with the legislation, to publish this person's title and contact information on their website and to implement a confidentiality incident response procedure.

1. Personal Information Policies Mandatory

As a further step to ensuring that entities processing personal information on Quebecers have appropriate governance structures in place, Bill 64 requires that businesses adopt policies and practices with respect to:

  • retention and destruction of personal information;
  • roles and responsibilities of employees handling personal information throughout its life cycle; and
  • management of complaints.

These policies and practices should be in plain language and adapted to the sensitivity of the personal information in question and the nature of the business. They must be approved by the organization's data protection officer ("DPO") and detailed information about them published on the entity's website (or, if no website exists, be made available by another appropriate means).

Under Bill 64, notices provided to individuals whose personal information is being collected must include:

  • the purposes for which the personal information is being collected;
  • the means used to collect it;
  • if applicable, the name of any third party on behalf of whom the personal information is being collected;
  • if applicable, a statement noting the possibility that the personal information may be communicated outside Québec; and
  • statements setting out the right of the individual:
    • to access and rectify any information that is collected; and
    • to withdraw consent to any further use and communication of the personal information.

A best practice would be to include this information in any public-facing privacy notice. Additional disclosure requirements are incumbent on any entity that uses tracking technology and/or automated decision making.

2. New Rights for Individuals

In addition to the rights to access and rectify personal information, as of September 22, 2023, individuals will have the right to withdraw their consent to further use and/or communication of their personal information. Bill 64 also introduces two additional individual rights, each of which will be a first in Canada:

  • the right to request a cessation of dissemination; and
  • the right to de-indexation or re-indexation.

Bill 64 grants individuals the right to request that an entity cease disseminating their personal information or that any hyperlink attached to their name and providing access to their personal information be de-indexed if the dissemination of the information violates a law or a court order.

Bill 64 further allows the individual to request an end to dissemination, or to request de-indexation or re-indexation if all of the following apply:

  • the dissemination of the information causes the person concerned serious injury in relation to their right to respect of their reputation or privacy;
  • the injury is clearly greater than the interest of the public in knowing the information or the interest of any person in expressing themselves freely; and
  • the cessation of dissemination, re-indexation or de-indexation request does not exceed what is necessary to prevent the perpetuation of the injury.

It should be noted that these are not absolute rights. A number of factors must be weighed in determining whether to grant a request to honour these rights, such as the identity of the person in question (e.g., a minor versus an adult who is a public figure), the sensitivity and the accuracy of the information or the context.

3. Privacy Impact Analysis

As of September 2023, privacy impact assessments ("PIAs") will be required of entities before they can engage in privacy-sensitive activities such as:

  • the acquisition, development or updating of an information system or electronic service delivery project involving the collection, use, communication, retention or destruction of personal information; or
  • the communication of personal information outside of Québec.

PIAs, which are already common in Europe and in Canada's public sector, are not a one-size-fits-all exercise. Rather, they should be adapted to the sensitivity and quantity of information involved and are best conducted in consultation, from the outset of the project, with the organization's DPO, who may suggest measures to mitigate any privacy risk. An item that a PIA must address is the ability of the program or project to allow digitized personal information collected from the individual to be communicated to them in a structured, commonly used technological format. Another issue that must be addressed if the PIA concerns personal information that is to be transferred out of Québec is the strength of the personal information protection legislation in place in the receiving jurisdiction.

4. Data Processing Agreements

For entities that have not already done so, Bill 64 will now require that they enter into written data processing agreements with service providers to which they transfer personal information. These agreements must contain the following provisions:

  • a description of the measures in place to:
    • protect the confidentiality of the information;
    • restrict the use of the information to what is necessary; and
    • dispose of the information after the purposes for which it was collected have been fulfilled;
  • a notice provision in the event the service provider is the victim of a data breach (or attempted breach) that could involve (or have involved) the information; and
  • an audit provision.

5. Penalties

Finally, one of the most startling elements of Bill 64 is the new European-like penalties that will come into effect in September 2023. These include administrative monetary penalties of up to $50,000 per individual and up to the greater of $10,000,000 or 2% of worldwide turnover for the preceding year for a business that:

  • fails to inform an individual of the sources of the personal information collected on them, the ends to which the information will be used, the methods used to collect it, the right to access and rectify, and the right to withdraw consent;
  • collects, uses, communicates, stores or destroys personal information in breach of PPIPS;
  • fails to report a confidentiality incident to the Commission d'accès à l'information ("CAI") or to the individuals whose personal information was compromised;
  • does not take measures to implement appropriate security safeguards;
  • fails to inform an individual of decisions based exclusively on automated decision making; or
  • breaches the duties imposed on information agents.

Bill 64's penalties also include criminal sanctions consisting of fines from $5,000 to $100,000 for an individual or from $15,000 to the greater of $25,000,000 or 4% of worldwide turnover for the preceding year for a business that:

  • collects, uses, communicates, stores or destroys personal information in breach of PPIPS;
  • fails to report a confidentiality incident to the CAI or to the individuals whose personal information was compromised;
  • does not take measures to implement appropriate security safeguards;
  • breaches the duties imposed on information agents;
  • hinders an investigation or inspection conducted by the CAI;
  • takes retaliatory measures against a person who in good faith makes a complaint or cooperates with an investigation;
  • refuses or neglects to comply with the CAI's request for documents enabling it to confirm compliance with Bill 64; or
  • violates an order by the CAI.

Again, these are not one-size-fits-all penalties. A number of considerations will be taken into account in determining the nature and amount of the penalty, such as the nature and severity of the violation, how long the violation continued, the sensitivity of the personal information, the number of people whose personal information was compromised, the measures taken to mitigate, the compensation offered to the victims, and the entity's ability to pay.

Finally, Bill 64 provides for punitive damages - and a private right of action - of at least $1,000 with respect to illicit, intentional, or gross violations of the privacy rights provided for in articles 55 to 40 of the Civil Code of Québec.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.